Critical WordPress plugin vulnerability allows spam content on your website
If the ‘Display Widgets’ plugin is installed on your WordPress website, remove it immediately: the plugin includes malicious code that lets its author publish spam content on sites running it. Read on for the details of this WordPress plugin backdoor.
Researchers at security firm Wordfence have found that the popular WordPress plugin ‘Display Widgets’ contains a backdoor that allows the plugin's author to publish arbitrary content on your website without your knowledge.
‘Display Widgets’ is a popular WordPress plugin that simply lets site admins change sidebar content for different pages and categories. According to the WordPress plugin repository, it is installed on some 200,000 WordPress websites.
According to Wordfence, the plugin's authors have been shipping malicious code that creates a backdoor on websites running their plugin. The code lives in the plugin's geolocation.php file and allows the plugin author to post new content on affected sites without the site owner's knowledge. To stay unnoticed, the code hides the injected content from any logged-in user (so an administrator browsing their own site never sees it), and it ships a bulk deletion function to remove the traces.
To be clear, the malicious code is not an exploit of a bug. It is a backdoor that gives the author the ability to publish content on every website using the plugin, and it does not depend on ‘other popular plugins’ being installed in order to work.
The last three versions of the plugin contain the malicious code, in other words the backdoor. The plugin was also removed from the WordPress repository on July 1.
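A quick triage script for site owners following the advice above, as an added example (this is not code from Wordfence, from the plugin, or from the original article). It assumes the standard WordPress layout, with the plugin under wp-content/plugins/display-widgets/ and a main file carrying the usual "Plugin Name:" / "Version:" header, and it checks for the geolocation.php file the article names. The indicator scan at the end is a generic heuristic of my own, not Wordfence's indicator list: it flags plugin files that both test is_user_logged_in() and hook into post creation or the post query, which is one way a plugin could hide injected posts from logged-in users as described.

```shell
#!/bin/sh
# Triage check for the Display Widgets backdoor described in the article.
# Added example; not Wordfence's or the plugin's code. Assumed paths:
#   <wp_root>/wp-content/plugins/display-widgets/            (plugin directory)
#   <wp_root>/wp-content/plugins/display-widgets/geolocation.php  (file named by Wordfence)

# Print the "Version:" header value of a plugin main file, or "unknown".
plugin_version() {
    # $1 = path to the plugin's main PHP file
    v=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$1" 2>/dev/null \
        | head -n 1 | tr -d '\r')
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unknown\n'
}

# Check one WordPress root. Prints a one-line verdict and returns:
#   0 = plugin not installed
#   1 = plugin installed, geolocation.php absent (remove it anyway, per the article)
#   2 = plugin installed and geolocation.php present (treat the site as compromised)
check_display_widgets() {
    root=$1
    dir="$root/wp-content/plugins/display-widgets"
    if [ ! -d "$dir" ]; then
        printf '%s: display-widgets not installed\n' "$root"
        return 0
    fi
    # The main file is whichever .php file carries the "Plugin Name:" header.
    main=$(grep -lis '^[[:space:]]*\*\{0,1\}[[:space:]]*Plugin Name:' "$dir"/*.php 2>/dev/null | head -n 1)
    ver=$( [ -n "$main" ] && plugin_version "$main" || printf 'unknown\n')
    if [ -f "$dir/geolocation.php" ]; then
        printf '%s: display-widgets %s INSTALLED WITH geolocation.php - remove plugin, audit posts\n' "$root" "$ver"
        return 2
    fi
    printf '%s: display-widgets %s installed (no geolocation.php) - remove anyway\n' "$root" "$ver"
    return 1
}

# Heuristic scan (my own, generic; not an indicator list from the article):
# count PHP files in a plugin directory that both branch on is_user_logged_in()
# and hook into post creation or the post query. Matching paths go to stderr,
# the count to stdout so a caller can capture it.
scan_hiding_indicators() {
    dir=$1
    n=0
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        if grep -qs 'is_user_logged_in' "$f" \
           && grep -qsE 'pre_get_posts|the_posts|wp_insert_post' "$f"; then
            printf 'indicator: %s\n' "$f" >&2
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Usage: sh check-display-widgets.sh /var/www/site1 /var/www/site2 ...
if [ $# -gt 0 ]; then
    for r in "$@"; do
        check_display_widgets "$r" || true
        [ -d "$r/wp-content/plugins/display-widgets" ] \
            && scan_hiding_indicators "$r/wp-content/plugins/display-widgets" >/dev/null
    done
fi
```

Run it against every WordPress document root on the host; any exit status other than 0 means the plugin should be deleted, and status 2 means the published posts should also be audited for content that is only visible to anonymous visitors (open the site in a private browser window, not as a logged-in user, since the backdoor hides its posts from logged-in accounts).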
If you liked this article, follow us on Twitter @Secinform and please subscribe to our newsletter to receive the latest information security news.